Share This Story!

How stolen credit cards are fenced on the Dark Web

The data snatched from Home Depot, P.F. Chang's, Target and other massive breaches end up in the Internet's underground marketplaces. The websites that fence the stolen data are known as "carder forums."

Credit card data stolen from retailers such as Target, Sally Beauty Supply, P.F. Chang's, and now perhaps Home Depot, are flooding into underground hacker forums where customers' card numbers, names and addresses can be sold for as little as $1 each.

Tuesday, a large batch of credit and debit card information that appears to be from Home Depot went on sale on such an underground marketplace, known as a "carder forum." A Home Depot spokeswoman confirmed that the company had contacted its banks and law enforcement to look into "unusual activity" but did not confirm a breach.

Carder forums "are the Craig's List of the hacker underground," says Neal O'Farrell, an identity theft expert at Credit Sesame and founder of the non-profit Identity Theft Council, based in San Francisco.

"It's not just cards. It's phishing kits, malware, spammer lists," O'Farrell said. "It's a like a shopping mall for cybercrime."

O'Farrell opened an account on one carder forum, rescator.la, where he was able to peruse offers for millions of Target credit cards. The website, registered in Latvia, listed the card information along with ZIP codes and e-mail addresses — information that makes it easier for criminals to use the cards to purchase goods online or withdraw money from bank accounts.

The hacker asked for payment in Bitcoin, a difficult-to-trace digital currency.

Journalist Brian Krebs of KrebsonSecurity.com wrote that he found the newest batch of cards on that site.

When credit information stolen from Target appeared for sale in the forums, individual card numbers fetched up to $120 each, O'Farrell says. Within weeks, as banks started to cancel the cards, the prices dropped to $8 a card, he says. Seven months after Target learned of the breach, they are nearly worthless.

"The most important part of the price is the freshness, before the victim knows they've been breached and when no one is canceling," he says. "The guarantees on the cards dwindle the older they get."

A USA TODAY investigative series on the Dark Web(Photo: Jerry Mosemak)

To outrun law enforcement, the most sophisticated criminal hackers hide their "carder forums" on the "Dark Web," which uses The Onion Router, known as TOR, to conceal the location of the computer servers hosting the websites. TOR ensures secrecy by randomly routing computer messages through several places on the Internet, wrapped in encrypted code, so no single point can link the source to the destination, making the sites nearly impossible to trace.

FROM YOUR WALLET TO CYBERDEN

Criminals can break into companies' databases with malicious software purchased online from computer hackers, who mostly operate out of Eastern Europe and Russia, says Tom Kellermann, chief cybersecurity officer for Dallas-based Trend Micro. The software can infiltrate a database, spread its code like a virus, and remain undetected for months. When a customer swipes a credit or a debit card, the software captures the information, stores it, then sends it in bulk to the cybercriminals.

Once the information is collected, members of the cybergang test it and sort it into bundles that are priced, then sold in the underground sites, Kellermann says. Bundles range from 500 cards to 10,000 cards.

To ensure the cards work, the cyberthieves use an automated system to charge a small amount — around the price of a cup of coffee — to 10,000 cards at a time.

The tests determine the card's validity and credit limit. Cards with the highest credit limits, such as an American Express Platinum card, sell for the most money, Kellermann says. A card number with a low limit might sell for $1 or $2, while a high limit can sell for $15 or considerably more.

QUICK WINDOW OF VALUE

The recent series of data breaches have flooded the market with cards, which must be moved quickly before they lose their value, Kellermann says.

Some of the criminals who buy the cards use the data to shop online. Others create credit cards from blank plastic cards, known as "white classics" that can be purchased online and imprinted with the data. The buyers must move quickly, too, before consumers notice fraud charges and call their banks to cancel the cards.

In April 2013, Tavarez and his four accomplices purchased at least 200 stolen credit card numbers from a "carding" website, encoded the stolen account information onto counterfeit cards and purchased dozens of store gift cards and merchandise at stores in New York, New Jersey, Pennsylvania, Connecticut, Rhode Island and Massachusetts, federal prosecutors said.

Kellermann says the FBI is becoming more skilled at catching the cybercrooks, and companies are employing better software to catch the breaches. On average, a company detects a breach within five months of the infiltration, Kellermann says.

"That window is shrinking dramatically," he says. "So the criminals typically have one billing cycle to have a shopping spree."